Vendor Due Diligence: The Check Most Companies Run Once, Then Never Again
Most companies run a thorough check on a new vendor exactly once: during onboarding. After that, the relationship runs on trust, contract renewals, and the assumption that whatever was true at signing is still true today. For a vendor providing office supplies, that assumption rarely matters. For a vendor with access to systems, data, premises, or critical operations, it can matter a great deal.
Why onboarding checks aren't enough
A vendor approved two or three years ago was evaluated against the company it was at the time: a certain ownership structure, a certain financial position, a certain set of subcontractors. None of those are fixed. Ownership changes through acquisitions that aren't always announced. Financial health can deteriorate quietly until a vendor suddenly can't deliver. Subcontracting arrangements shift as the vendor grows, often without the original client ever being informed.
The result is a quiet gap between what a company believes about its vendor base and what is actually true. That gap doesn't show up in a spreadsheet. It shows up when a vendor is implicated in a sanctions case, when a data breach traces back to a subcontractor no one knew existed, or when a long-trusted supplier turns out to have been in financial distress for a year before the disruption became visible.
Where vendor risk typically hides
Ownership and control. A vendor's listed leadership and its actual decision-makers are not always the same. Changes in beneficial ownership, particularly through holding structures or offshore entities, can shift a vendor's risk profile without any visible change in how the relationship operates day to day.
Financial stability. A vendor's public-facing performance and its actual financial health can diverge well before either becomes obvious to a client. By the time payment delays or service degradation appear, the underlying problem has usually existed for months.
Subcontracted access. Vendors with access to systems, facilities, or sensitive information often extend that access, formally or informally, to their own subcontractors and partners. Each additional party is one the original due diligence never evaluated.
Reputational and regulatory exposure. Litigation, regulatory action, or reputational issues involving a vendor don't automatically surface to existing clients. They surface to whoever happens to be checking — and most companies aren't checking on an ongoing basis.
What ongoing vendor verification looks like
A due diligence process built for the life of the relationship, not just its start, typically includes:
- Periodic re-verification, not a one-time check at onboarding, particularly for vendors with access to sensitive systems, data, or premises.
- Beneficial ownership monitoring, to catch changes in control before they show up as a problem in service delivery.
- Financial health checks that go beyond a credit rating snapshot, particularly for vendors that are critical to operations or difficult to replace quickly.
- OSINT and reputational monitoring, surfacing litigation, regulatory action, or reputational red flags that wouldn't appear in a standard compliance questionnaire.
- Risk-tiering, so the depth of ongoing verification matches the actual exposure: a vendor with system access or critical-path dependency warrants a different level of scrutiny than one providing a commodity service.
This isn't about treating every vendor with the same intensity. It's about matching verification effort to actual risk, and repeating it on a cadence that reflects how quickly circumstances can change — rather than relying on a snapshot taken once, years ago.
Before your next vendor review cycle
Three questions worth raising with procurement, legal, or compliance:
1. Which vendors were last verified more than two years ago, and have they had material access to systems, data, or operations since then?
2. Do we know who any of our critical vendors subcontract to, or does our visibility stop at the name on the contract?
3. If a vendor's ownership or financial position changed today, would we find out from them, or would we find out when something already went wrong?
A vendor relationship that was verified correctly once is not the same as one that stays verified. Building periodic, risk-based re-checks into vendor management turns due diligence from a gate at onboarding into an ongoing control. For a confidential discussion about reviewing a specific vendor or your overall third-party risk process, reach out to sales@comm42.eu.